DHCP not receiving requests on ASA 5510

Answered Question

Hi,


I want to have open wireless access for clients that visit, separate from our network.  I set up DHCP on interface 0/2 and though everything appears to be configured right it just isn't receiving or responding to DHCP requests.  If I monitor DHCP stats on the interface it shows 1 pool 0 requests.


Here is what I have done:


Enabled interface 0/2 - Provided IP 10.0.27.15 - Named "OpenInternet"

Enabled DHCP scope on "JustInternet" as 10.0.27.100-10.0.27.200

Plugged a laptop directly into 0/2.

Released and renewed IP on laptop with no response



Is there some additional security I need to allow?  What am I missing?  I've cut and pasted some snippets from the running config.




!
interface Ethernet0/2
nameif OpenInternet
security-level 0
ip address 10.0.27.15 255.255.255.0
!

!
dhcpd address 10.0.27.100-10.0.27.200 OpenInternet
dhcpd dns 8.8.8.8 8.8.4.4 interface OpenInternet
dhcpd enable OpenInternet
!


Message was edited by: Robert Gillis


bknoblau Tue, 07/20/2010 - 15:47

Robert,


I am making the assumption that you plugging your laptop into 0/3 was a typo since you configured the interface on 0/2.  It appears that you have configured the interface for dhcp properly.  If you give your laptop a static IP address within the 10.0.27.x range are you able to ping the interface of the ASA when connected?  In addition, could you attach the "show interface" output to this thread?


Regards,


BK

Correct, I meant 0/2.  I changed that up there.


I can't try to statically assign it as I'm home now with no access to that laptop; however, I think you are on to something when I showed the interface config via telnet.  Seems it claims the interface is down though the ASDM shows everything I know to look at as to the fact it's enabled and up.  How can I fix that (I'm not a Cisco guy)?  I doubt it, but it could just be that the laptop is the only thing plugged into it and the laptop is probably asleep now.  Link should stay active though I would think.


Interface Ethernet0/2 "OpenInternet", is down, line protocol is down
  Hardware is i82546GB rev03, BW 100 Mbps
        Auto-Duplex, Auto-Speed
        MAC address 000a.b89c.e6a2, MTU 1500
        IP address 10.0.27.15, subnet mask 255.255.255.0
        11447275 packets input, 8221504873 bytes, 596 no buffer
        Received 11447275 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 6030778 overrun, 0 ignored, 0 abort
        455017 L2 decode drops
        2 packets output, 128 bytes, 0 underruns
        0 output errors, 0 collisions, 0 interface resets
        0 babbles, 0 late collisions, 0 deferred
        0 lost carrier, 0 no carrier
        input queue (curr/max blocks): hardware (0/0) software (0/0)
        output queue (curr/max blocks): hardware (0/1) software (0/0)
  Traffic Statistics for "OpenInternet":
        909 packets input, 103688 bytes
        1 packets output, 28 bytes
        890 packets dropped
      1 minute input rate 0 pkts/sec,  0 bytes/sec
      1 minute output rate 0 pkts/sec,  0 bytes/sec
      1 minute drop rate, 0 pkts/sec
      5 minute input rate 0 pkts/sec,  0 bytes/sec
      5 minute output rate 0 pkts/sec,  0 bytes/sec
      5 minute drop rate, 0 pkts/sec

Actually it was because the laptop was in sleep mode.  I woke it up and the lines went UP.


Yes I can ping 10.0.27.15 if I statically assign an IP.


Yes I have tried other machines other than this laptop.


Interface Ethernet0/2 "OpenInternet", is up, line protocol is up
  Hardware is i82546GB rev03, BW 100 Mbps
        Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
        MAC address 000a.b89c.e6a2, MTU 1500
        IP address 10.0.27.15, subnet mask 255.255.255.0
        11447633 packets input, 8221545570 bytes, 596 no buffer
        Received 11447629 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 6030778 overrun, 0 ignored, 0 abort
        455017 L2 decode drops
        7 packets output, 504 bytes, 0 underruns
        0 output errors, 0 collisions, 0 interface resets
        0 babbles, 0 late collisions, 0 deferred
        0 lost carrier, 0 no carrier
        input queue (curr/max blocks): hardware (5/0) software (0/0)
        output queue (curr/max blocks): hardware (0/1) software (0/0)

mirober2 Wed, 07/21/2010 - 08:22
User Badges: Cisco Employee

Hi Robert,


Try gathering the output of 'debug dhcpd packet' and 'debug dhcp event' during a time when your client is looking for an IP address. That might give some clue as to what's going on.


Packet captures would also be helpful so you can see exactly where the requests are failing. You could setup a capture like this:


capture dhcp-cap interface OpenInternet match udp any any range 67 68


-Mike

I ran the following two commands and received "enabled at level 1".  I then had the DHCP client searching for a server and ran the commands several times during this period with the same results.


CDG515ASA01# debug dhcpd packet
debug dhcpd packet enabled at level 1
CDG515ASA01# debug dhcpd event
debug dhcpd event enabled at level 1



Next I tried to set up this command; however, it had an issue with "MATCH" I believe it was.



CDG515ASA01# capture dhcp-cap interface OpenInternet match udp any any range 67 68

capture dhcp-cap interface "OpenInternet" match udp any any range     

                                                             ^
ERROR: % Invalid input detected at '^' marker.



Thanks for all your help so far!

mirober2 Wed, 07/21/2010 - 09:29
User Badges: Cisco Employee

Hi Robert,


Sorry, I should have asked what version you are running before giving you the capture command. Use this instead:


access-list dhcp-acl permit udp any any range 67 68

capture dhcp-cap access-list dhcp-acl interface OpenInternet


Once that's done, have the client try to request an address again. Next, look at the output of 'show cap dhcp-cap' and let us know if you see 2-way communication between the client and the ASA. It would also be helpful to pull the capture off the ASA in PCAP format so we can look at it in Wireshark. You can do that by browsing to this link and saving the file:


https:///capture/dhcp-cap/pcap


-Mike

Well it took a while but I think I got it going.  Show dhcp-cap doesn't work for me, but please understand that I barely know how to work this equipment unfortunately, but I'm learning.  I had to look up how to get in and out of config mode.  :$   The PCAP output is fine I think.


It has null characters so I will attach the txt file rather than copy-pasting.

Correct Answer
mirober2 Wed, 07/21/2010 - 11:15
User Badges: Cisco Employee

Hi Robert,


The captures show that the client's DHCP DISCOVER packets are reaching the ASA, but the firewall is not responding for some reason. Have you tried disabling and re-enabling the dhcpd process since you started troubleshooting this to see if that makes a difference? Try:


asa(config)# no dhcpd enable OpenInternet

asa(config)# dhcpd enable OpenInternet


Power cycling the firewall might also help in the event that the dhcp_daemon process got stuck somehow.


If that still doesn't work, can you let us know what version of ASA code you are running ('show version')? Also, what operating system version is the client using?


-Mike

Didn't work.


I have blown away this configuration and recreated it at least 7 times with different names.  I even tried making a new VLAN interface from 0/2.  Finally I had to resort to asking for help.



Cisco Adaptive Security Appliance Software Version 7.2(2)
Device Manager Version 5.2(2)


Client is Win Xp sp3


I can't power cycle the device till later this evening since that will drop everyone in the office as well as a few VPN users that are in it right now, but I will let you know what happens after I do.


Thanks a whole lot for your help so far.

Nagaraja Thanthry Wed, 07/21/2010 - 11:57
User Badges: Cisco Employee

Hello,


Do you have an access-list on that interface? If yes, can you add an entry like "access-list   line 1 permit ip host 0.0.0.0 host 255.255.255.255"?


Hope this helps.


Regards,


NT
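An added example, not from this thread or from Cisco, that does offline what Mike asks of the 'show cap dhcp-cap' output (is there 2-way DISCOVER/OFFER traffic, or only client DISCOVERs?) and makes NT's point visible: a DISCOVER is sourced from 0.0.0.0 to 255.255.255.255, which is exactly the flow an interface ACL must permit. It assumes the capture has been reduced to raw IPv4 datagrams; the sample datagrams below are constructed, not taken from Robert's capture.

```python
"""Classify DHCP datagrams from a capture and tell a one-way from a two-way exchange."""
import struct
from collections import Counter

MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}

def build_dhcp(src, dst, sport, dport, msg_type):
    """Construct a minimal IPv4/UDP/BOOTP datagram carrying DHCP option 53 (sample data)."""
    op = 1 if msg_type in (1, 3) else 2                     # BOOTREQUEST for client, BOOTREPLY for server
    bootp = bytes([op]) + b"\x00" * 235                      # 236-byte fixed BOOTP header
    options = b"\x63\x82\x53\x63" + bytes([53, 1, msg_type, 255])  # magic cookie, option 53, end
    udp_len = 8 + len(bootp) + len(options)
    udp = struct.pack("!HHHH", sport, dport, udp_len, 0) + bootp + options
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0, 64, 17, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return ip + udp

def parse_dhcp(pkt):
    """Return (src, dst, message type name), or None if the datagram is not DHCP."""
    if pkt[9] != 17:                                         # protocol field: only UDP can be DHCP
        return None
    ihl = (pkt[0] & 0x0F) * 4
    src, dst = ".".join(map(str, pkt[12:16])), ".".join(map(str, pkt[16:20]))
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    if not ({sport, dport} & {67, 68}):                      # same filter as the capture ACL
        return None
    opts, i = pkt[ihl + 8 + 240:], 0                         # skip UDP header, BOOTP header, cookie
    while i + 1 < len(opts) and opts[i] != 255:
        code, length = opts[i], opts[i + 1]
        if code == 53 and length == 1:
            return src, dst, MSG_TYPES.get(opts[i + 2], "type-%d" % opts[i + 2])
        i += 2 + length
    return None

def diagnose(packets):
    """Count message types, record client->server flows, and say whether the server ever answered."""
    counts, flows = Counter(), set()
    for pkt in packets:
        parsed = parse_dhcp(pkt)
        if parsed:
            flows.add((parsed[0], parsed[1]))
            counts[parsed[2]] += 1
    server_replied = any(counts[t] for t in ("OFFER", "ACK", "NAK"))
    return counts, flows, server_replied

# Constructed samples: what a stuck server looks like (DISCOVERs only) versus a healthy exchange.
ONE_WAY = [build_dhcp("0.0.0.0", "255.255.255.255", 68, 67, 1)] * 3
TWO_WAY = ONE_WAY[:1] + [build_dhcp("10.0.27.15", "255.255.255.255", 67, 68, 2)]
```

In the one-way case every flow is 0.0.0.0 -> 255.255.255.255 and `server_replied` is False, which is the pattern Mike read from Robert's capture; a DISCOVER with those addresses is also what NT's ACL entry exists to let through.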
